[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source
The remaining autopkgtest failures are due to the following unrelated bugs:

cmake-extras/armhf: bug 2052360
livecd-rootfs/amd64: bug 2045586

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/2048092

Title:
  [low-priority SRU] Fix CVE-2022-0563 in source

Status in util-linux package in Ubuntu:
  Fix Released
Status in util-linux source package in Jammy:
  Fix Committed
Status in util-linux source package in Lunar:
  Fix Released
Status in util-linux source package in Mantic:
  Fix Released
Status in util-linux source package in Noble:
  Fix Released

Bug description:
  [Impact]

  We did not fix this CVE in Ubuntu because we do not build the impacted
  binaries (we use --disable-chfn-chsh). However, some users are known to
  build their own binaries from this Ubuntu source and therefore could be
  impacted.

  [Test Plan]

  Since there is no impact to Ubuntu binaries, there is no functional
  change to verify. Regression testing using the existing build-time tests
  and autopkgtests should suffice.

  We should also verify that util-linux source builds fine w/ chfn and
  chsh enabled after applying this patch - otherwise it is really helping
  no one.

  [Where problems could occur]

  The upstream patch is clearly restricted to the chfn chsh binaries,
  which are not compiled by Ubuntu, so I don't see a risk there.

  I do see a risk that this is used as a precedent to fix other
  no-impact-to-Ubuntu security issues in other source - say, just to
  silence 3rd party security scanners. I do not intend to set such a
  precedent here, and suggest we consider them only on a case-by-case
  basis.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/2048092/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source
I'll also note that the patch actually disables `libreadline` support in
chfn/chsh, so whoever was rebuilding these from source will get this
change in behavior. But that's how upstream decided to handle this going
forward.

** Changed in: util-linux (Ubuntu Jammy)
       Status: In Progress => Fix Committed
[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source
@ahasenack - thanks for asking these questions.

I do know of a user rebuilding jammy's util-linux. The build recipe I've
seen installs these binaries. I don't know the risk that they might
become setuid.

This CVE I noticed as being fixed in a later version of util-linux, but
not in jammy. I then looked it up in our CVE tracker and saw why we had
chosen not to patch it.

To verify that the code inside is not used, I used inotifywait during
the build to watch for processes opening these .c files. Each file is
opened exactly twice - both times during the dh-autoreconf phase, where
it collects a checksum before and after using md5sum. Neither file is
opened again.
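One way to mechanise the inotifywait check described in the comment above, as an added example that is not part of the bug report or of util-linux: it wraps a build command in an inotifywait watcher and then asserts that listed sources were opened only by the two dh-autoreconf md5sum passes. The inotifywait command line, the sample log and its /build/util-linux paths are assumptions.

```shell
# Added example: record OPEN events while a build runs, then check that
# sources excluded from the build (login-utils/chfn.c and chsh.c under
# --disable-chfn-chsh) are opened only by the checksum pass, never compiled.

# Run a build command while logging every OPEN event under $1 to $2.
# Usage: watch_build_opens <srcdir> <logfile> <build command...>
watch_build_opens() {
    srcdir=$1; log=$2; shift 2
    inotifywait -m -r -q -e open --format '%w%f %e' "$srcdir" >"$log" &
    watcher=$!
    sleep 1                      # let the watcher finish setting up watches
    "$@"; status=$?
    kill "$watcher"
    return "$status"
}

# Print how many OPEN events in log $1 have a path ending in $2 (0 if none).
count_opens() {
    grep -c -F -- "$2 OPEN" "$1" || true
}

# Verify that each listed file was opened exactly <expected> times.
# dh-autoreconf checksums each file before and after with md5sum (two opens);
# any more means some build step actually read the file.
check_unused_sources() {
    log=$1; expected=$2; shift 2
    rc=0
    for f in "$@"; do
        n=$(count_opens "$log" "$f")
        if [ "$n" -ne "$expected" ]; then
            echo "$f: opened $n times, expected $expected" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample log (assumed paths): chsh.c shows only the two checksum
# opens, while chfn.c shows a third open, as it would if it were compiled.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
/build/util-linux/login-utils/chfn.c OPEN
/build/util-linux/login-utils/chsh.c OPEN
/build/util-linux/configure.ac OPEN
/build/util-linux/login-utils/chfn.c OPEN
/build/util-linux/login-utils/chsh.c OPEN
/build/util-linux/login-utils/chfn.c OPEN
EOF
```

For a real run, replace the sample log with `watch_build_opens . opens.log dpkg-buildpackage -b` and then call `check_unused_sources opens.log 2 login-utils/chfn.c login-utils/chsh.c`.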
[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source
> However, some users are known to build their own binaries from this Ubuntu
> source and therefore could be
> impacted.

Do you know of users rebuilding specifically util-linux and enabling
those tools?

What was it about this specific CVE and specifically util-linux that
caught your attention and made you want to propose this SRU?

I see the patches only affect the binaries we don't ship, but have you
also made sure that no other tools or files from the package include the
affected code in their build?
[Touch-packages] [Bug 2048092] Re: [low-priority SRU] Fix CVE-2022-0563 in source
** Also affects: util-linux (Ubuntu Noble)
   Importance: Undecided
       Status: Fix Released

** Also affects: util-linux (Ubuntu Mantic)
   Importance: Undecided
       Status: New

** Also affects: util-linux (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Changed in: util-linux (Ubuntu Mantic)
       Status: New => Fix Released

** Changed in: util-linux (Ubuntu Lunar)
       Status: New => Fix Released